CVE-2025-27509
published 2025-03-06CVE-2025-27509: fleetdm/fleet is an open source device management, built on osquery. In vulnerable versions of Fleet, an attacker could craft a specially-formed SAML response…
PriorityP356critical9.3CVSS 4.0
AVNACLATNPRNUINVCHVIHVANSCNSINSANEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX
EPSS
0.62%
45.3th percentile
fleetdm/fleet is an open source device management, built on osquery. In vulnerable versions of Fleet, an attacker could craft a specially-formed SAML response to forge authentication assertions, provision a new administrative user account if Just-In-Time (JIT) provisioning is enabled, or create new accounts tied to forged assertions if f MDM enrollment is enabled. This vulnerability is fixed in 4.64.2, 4.63.2, 4.62.4, and 4.58.1.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fleetdm | fleet | < 4.58.1 | 4.58.1 |
| fleetdm | fleet | — | — |
| fleetdm | fleet | — | — |
| fleetdm | fleet | — | — |
| github.com | fleetdm_fleet_v4 | >= 0 < 4.53.2 | 4.53.2 |
| github.com | fleetdm_fleet_v4 | >= 4.54.0 < 4.58.1 | 4.58.1 |
| github.com | fleetdm_fleet_v4 | >= 4.62.0 < 4.62.4 | 4.62.4 |
| github.com | fleetdm_fleet_v4 | >= 4.63.0 < 4.63.2 | 4.63.2 |
| github.com | fleetdm_fleet_v4 | >= 4.64.0 < 4.64.2 | 4.64.2 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Fleet has SAML authentication vulnerability due to improper SAML response validation in github.com/fleetdm/fleet
osv·2025-03-10
CVE-2025-27509 Fleet has SAML authentication vulnerability due to improper SAML response validation in github.com/fleetdm/fleet
Fleet has SAML authentication vulnerability due to improper SAML response validation in github.com/fleetdm/fleet
Fleet has SAML authentication vulnerability due to improper SAML response validation in github.com/fleetdm/fleet.
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/fleetdm/fleet/v4 before v4.53.2, from v4.54.0 before v4.58.1, from v4.62.0 before v4.62.4, from v4.63.0 before v4.63.2, from v4.64.0 before v4.64.2.
GHSA
Fleet has SAML authentication vulnerability due to improper SAML response validation
ghsa·2025-03-06
CVE-2025-27509 [CRITICAL] CWE-285 Fleet has SAML authentication vulnerability due to improper SAML response validation
Fleet has SAML authentication vulnerability due to improper SAML response validation
### Summary
A vulnerability in Fleet’s SAML authentication handling could allow an attacker to forge authentication assertions and gain unauthorized access to Fleet. In certain configurations, this could result in the creation of new user accounts, including administrative accounts. This issue affects Fleet deployments using single sign-on (SSO).
### Impact
In vulnerable versions of Fleet, an attacker could craft a specially-formed SAML response to:
- Forge authentication assertions, potentially impersonating legitimate users.
- If Just-In-Time (JIT) provisioning is enabled, the attacker could provision a new administrative user account.
- If MDM enrollment is enabled, certain endpoints could be used
OSV
Fleet has SAML authentication vulnerability due to improper SAML response validation
osv·2025-03-06
CVE-2025-27509 [CRITICAL] Fleet has SAML authentication vulnerability due to improper SAML response validation
Fleet has SAML authentication vulnerability due to improper SAML response validation
### Summary
A vulnerability in Fleet’s SAML authentication handling could allow an attacker to forge authentication assertions and gain unauthorized access to Fleet. In certain configurations, this could result in the creation of new user accounts, including administrative accounts. This issue affects Fleet deployments using single sign-on (SSO).
### Impact
In vulnerable versions of Fleet, an attacker could craft a specially-formed SAML response to:
- Forge authentication assertions, potentially impersonating legitimate users.
- If Just-In-Time (JIT) provisioning is enabled, the attacker could provision a new administrative user account.
- If MDM enrollment is enabled, certain endpoints could be used
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-03-06
Published